WordPress 1.5.2 released
The WordPress team have announced a new version of WordPress (1.5.2) is now available.
The new version includes a number of improvements and security fixes.
I’ve got to agree with the comments over at No Wow though:
“The changelog mentions that several vulnerabilities have been fixed but, once again, the developers don’t provide any details! One has to look at the diffs to see what has been fixed… I hate that kind of silly security by obscurity. Vague vulnerability reports are almost useless for administrators; just saying ‘we’ve fixed some security problems’ is even worse!”
As WordPress users we deserve better than this. C’mon Matt and friends, your name isn’t Mena! Open source should also equal open communication.
We wouldn’t have been in such a hurry to get a release out if the security problems were obscure! The exact issues are easily findable for anyone in the security community, and there is at least one script kiddie script out there so I don’t want to point more people to it while people are still upgrading.
Think about those who did not upgrade, because of any reason.
Why should the developers give anyone the knowledge of how to attack these people?!
It is better that you simply upgrade and be left in the dark about how and why, and others won’t be attacked.
You’re not the only one who feels this way: https://blogherald.com/2005/08/14/wordpress-152-released/
At least MT has always talked about security fixes right on their homepage, even before WP came out. WP could learn from Mena.
That’s a naive argument, Eitan. Hackers are not stupid, they can figure out the issue from looking at the source code. As you’ve just demonstrated, just saying “we’ve fixed a security issue” but not giving more specific information easily leads to a false sense of security.
(A slightly longer reply to some comments I’ve received is available here)
Of course anyone can dive into the code and search for it, be it a hacker, be it administrator, but it will not be simple.
The developers should not hand it “on a silver platter” – it will be more of a benefit for script kiddies (learn and harm) than for administrators (learn and…???).
I believe you will agree that it is better for you to be in the dark than for any malicious surfer to be more knowledgeable.
Regarding your note (linked from your former note) – I couldn’t agree more that any software should have a simple automatic and scheduled update applet.
But don’t expect too much of the free code projects, they usually struggle to build functionality with their limited resources.
Even many commercial vendors are still not at it. Go figure.